If I receive an email with a plain text generated password (in response to a password reset request), is this a vulnerability? The password expires after one use; in other words, the user has to change their password as soon as they register.

I could imagine that such a password reset scheme would at least be vulnerable to a man in the middle attack. The man in the middle could get the temp password and then lock out the user with a new password. But is there perhaps another vulnerability?

The "password" which you get for resetting accounts is actually, most of the time, a "unique" string. The problem may occur in how these strings are generated. For example, if the string is not generated randomly enough, like this: $code = md5(time()); then you may be vulnerable, since the attacker can "guess" it by using some bruteforce-fu.
– HamZa May 15 '13 at 22:10

2 Answers

I don't think it's a vulnerability. When you think about it as a password sent in plaintext, then yes it's understandable to think there's a vulnerability here, but it's not a password.

Sending you a link like https://example.com/reset.php?code=97fy978y39fny39478fyn3 which is a one-time link that you click to be taken to a password reset form in which you type your new password, is essentially the same as sending you a one-time password, they just took the code from the link and called it a temporary password.
The idea itself isn't vulnerable, but the incorrect implementation mostly is.

Update: You're correct, email is outside the scope of the implementation, but then we'd go completely off-topic. We can discuss that the whole system is broken, but there's no other option. They could send you the code in an SMS, but what if your friend was holding your mobile? They could send it to your mailbox (kind of silly) but what if somebody opened your mailbox? The only secure option left is that they send a representative of the company to go to your address and ask you for your ID and take your fingerprints (which you've given on the registration form) and then reset your password.

You see, the email is the de facto way to contact the original account owner, so that's the best they can do.

All in all, I was just trying to show you that the security of the plaintext one-time password is exactly the same as the one-time link used by almost all web services (Facebook, Twitter, StackExchange, ...).
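The answer's point is that a reset code in a link and a temporary password are the same secret, and HamZa's comment above points at where that secret actually fails: how it is generated. The following example is added here and is not code from the question, the answer or any real service. It contrasts a token built the way the comment warns against (`md5(time())`, one candidate per second) with a store that issues a token from the OS CSPRNG, keeps only its hash, expires it, and burns it on first use. The class and function names, and the 15-minute lifetime, are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy value for the example: a reset code lives 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def weak_reset_code(now=None):
    """Mimics PHP's md5(time()): the whole secret is derived from the
    current second, so every request in that second gets the same code and
    the space of possible codes for a day is only 86 400 values."""
    now = time.time() if now is None else now
    return hashlib.md5(str(int(now)).encode()).hexdigest()


class ResetTokenStore:
    """One-time reset tokens: random, hashed at rest, expiring, single use.

    Only the SHA-256 of the token is stored, so a leaked database copy does
    not hand out working reset codes. `clock` is injectable so the expiry
    path can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (token_hash, expires_at)

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for `user_id`; any earlier token is replaced."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user_id] = (self._hash(code), self._clock() + TOKEN_TTL_SECONDS)
        return code  # this is what goes into the e-mail; it is never stored

    def redeem(self, user_id, presented_code):
        """Return True exactly once for the live token of `user_id`."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]  # expired tokens are discarded, not kept
            return False
        # Constant-time comparison of the hashes, not of the raw code.
        if not hmac.compare_digest(token_hash, self._hash(presented_code)):
            return False
        del self._pending[user_id]  # single use: the code is dead after success
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    code = store.issue("alice")
    print("mailed code:", code)
    print("first redeem:", store.redeem("alice", code))   # True
    print("second redeem:", store.redeem("alice", code))  # False, already used
    print("weak codes collide within a second:",
          weak_reset_code(1000.2) == weak_reset_code(1000.9))
```

Whether the secret is embedded in a `reset.php?code=` link or mailed as a "temporary password", the same four properties decide its strength: unpredictable generation, hashed storage, a short lifetime, and invalidation on first use. The transport of the e-mail itself is a separate question, which the comments below take up.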

You say the idea is not vulnerable, only an incorrect implementation; however, one detail is outside the implementation: the email access. There is no way for the implementation to ensure that the email client is using https.
– dasPing May 15 '13 at 22:38

Storing the user-agent that requested the token along with it, and making sure the same UA accesses the link: is that going to improve the security at all or not? Or is it an unnecessary layer?
– JCM Jan 22 '14 at 18:10

@AbsoluteƵERØ reading that article, two points: 1) you're mixing terms. I'm talking about one-time passwords in the sense that OP used it, not in the sense of Google Authenticator; 2) whilst that article has a rather inflammatory title, if you read the text of it, it says that Google Authenticator style OTP is a lot better than any single factor solution (e.g. anything that is just username/password).
– Rоry McCune May 17 '13 at 6:50